ABSTRACT


A formal framework is developed for proving correctness of algorithms which implement nested transactions. In particular, a simple "action tree" data structure is defined, which describes the ancestor relationships among executing transactions and also describes the views which different transactions have of the data. A generalization of "serializability" to the domain of nested transactions with failures is defined. A characterization is given for this generalization of serializability, in terms of absence of cycles in an appropriate dependency relation on transactions. A slightly simplified version of Moss' locking algorithm is presented in detail, and a careful correctness proof is given.

The style of correctness proof appears to be quite interesting in its own right. The description of the algorithm, from its initial specification to its detailed implementation, is presented as a series of "event-state algebra" levels, each of which "simulates" the previous one in a straightforward way.
1. Introduction

In the past few years, there has been considerable research on concurrency control, including both systems design and theoretical study. The problem is roughly as follows. Data in a large (centralized or distributed) database is assumed to be accessible to users via transactions, each of which is a sequential program which can carry out many steps accessing individual data objects. It is important that the transactions appear to execute "atomically", i.e. without intervening steps of other transactions. However, it is also desirable to permit as much concurrent operation of different transactions as possible, for efficiency. Thus, it is not generally feasible to insist that transactions run completely serially. A notion of equivalence for executions is defined, where two executions are equivalent provided they "look the same" to all transactions and to all data objects. The serializable executions are just those which are equivalent to serial executions. One goal of concurrency control design is to insure that all executions of transactions be serializable.

Several characterization theorems have been proved for serializability; generally, they amount to the absence of cycles in some relation describing the dependencies among the steps of the transactions. A very large number of concurrency control algorithms have been devised. Typical algorithms are those based on two-phase locking [EGLT], and those based on timestamps [La]. Although many of these algorithms are very different from each other, they can all be shown to be correct concurrency control algorithms. The correctness proofs depend on the absence-of-cycles characterizations for serializability.

More recently, it has been suggested [Re, M, LiS] that some additional structure on transactions might be useful for programming distributed databases, and even for programming more general distributed systems. The suggested structure permits transactions to be nested. Thus, a transaction is not necessarily a sequential program, but rather can consist of (sequential or concurrent) sub-transactions. The intention is that the sub-transactions are to be serialized with respect to each other, but the order of serialization need not be completely specified by the writer of the transaction. This flexibility allows more concurrency in the implementation than would be possible with a single-level transaction structure consisting of sequential transactions. The general structure allows transactions to be nested to any depth, with only the leaves of the nesting tree actually performing accesses to data.

Transactions are often used not only as a unit of concurrency, but also as a unit of recovery. In a nested transaction structure, it is natural to try to localize the effects of failures within the closest possible level of nesting in the transaction nesting tree. One is naturally led to a style of programming which permits a transaction to create children, and to tolerate the reported failure of some of its children, using the information about the occurrence of the failures to decide on its further activity. The intention is that failed transactions are to have no effect on the data or on other transactions. This style of programming is a generalization of the "recovery block" style of [Ra] to the domain of concurrent programming. Indeed, this style seems to be especially suitable for programming distributed systems, since many types of failures of pieces of programs are likely to occur in such systems.

Reed is currently implementing a system which uses multiple versions of data to implement nested transactions which tolerate failures of sub-transactions. Moss has abstracted away from Reed's specific implementation of nested transactions, and has presented a clear intuitive description of the nested transaction model. He has also developed an alternative implementation of the nested transaction model, based on two-phase locking. This model and implementation are fundamental to the Argus distributed computing language, now under development by Liskov's group at MIT.

The basic correctness criteria for nested transactions seem to be clear enough, intuitively, to allow implementors a sufficient understanding of the requirements for their implementation. However, some subtle issues of correctness have arisen in connection with the behavior of failed sub-transactions. For example, the Argus group has decided that a pleasant property for an implementation to have is that all transactions, including even "orphans" (subtransactions of failed transactions), should see "consistent" views of the data (i.e. views that could occur during an execution in which they are not orphans). The implementation goes to considerable lengths to try to insure this property, but it is difficult for the implementors to be sure that they have succeeded.

It seems clear that some basic groundwork is needed before such properties can be proved. Namely, the theory already developed for concurrency control of single-level transaction systems without failures needs to be generalized to incorporate considerations of nesting and failures. The model needs to be formal, in order to allow careful specification of all the correctness requirements: the simple and intuitive ones, as well as the rather subtle ones.

This paper begins to develop this groundwork. First, a simple "action tree" structure is defined, which describes the ancestor relationships among executing transactions and also describes the views which different transactions have of the data. A generalization of serializability to the domain of nested transactions with failures is defined. A characterization is given for this generalization of serializability, in terms of absence of cycles in an appropriate dependency relation on transactions. A slightly simplified version of Moss' algorithm is presented in detail, and a careful correctness proof is given.

The style of correctness proof for the algorithm appears to be quite interesting in its own right. The description of the algorithm is presented in a series of levels, each of which is an "event-state" algebra with unary operations, and each (but the first) of which "simulates" the previous one. The basic problem statement is given as the highest level algebra, and successively lower levels provide increasing amounts of implementation detail. In particular, both the problem specification and the implementation are presented as the same kind of mathematical object, an event-state algebra. At every level, we want to present algorithms with the maximum possible amount of nondeterminism consistent with correctness, not forcing any unnecessary implementation decisions. Therefore, we do not describe algorithms in the usual way, using programs with specified flow of control. Rather, we present algorithms as collections of events with corresponding preconditions.

One novel aspect of the simulations we use, different from the usual notions of "abstraction" mappings, is that our simulations map single lower level states to sets of higher level states, rather than just single higher level states. (We call them "possibilities" mappings.) This extra flexibility seems quite convenient for many implementations, allowing the more "concrete" algebra sometimes to contain less information than the more "abstract" algebra. For example, it might be easy to prove correctness of an algorithm which maintains lots of auxiliary information. The correctness of an algorithm which maintains less information could be proved, in our model, by showing that it simulates the algorithm which maintains the auxiliary information.

While possibilities mappings are convenient for proving correctness of ordinary centralized algorithms, they produce their greatest payoff for distributed algorithms. Namely, a distributed algorithm is described as a special case of an event-state algebra, a "distributed algebra". In a distributed algebra, the state set is just a Cartesian product, with event preconditions and transitions defined componentwise. To show that a distributed algebra simulates some other "abstract" algebra, it suffices to define an appropriate possibilities mapping from the global states of the distributed algebra to sets of states of the abstract algebra. It turns out to be extremely natural to describe such a mapping by first describing a possibilities mapping from the local state of each component to sets of abstract states. The image of a local state under this mapping just represents the set of possible global states consistent with the knowledge of the particular component. The possibilities for the entire distributed algebra are simply obtained by taking the intersection of the possibilities consistent with the knowledge of all the components.

It appears that this technique extends to give natural proofs of many algorithms, especially distributed algorithms, and thus warrants further investigation. Goree [G] presents a more complete (and slightly more general) development of the technique than is presented in this paper.
The definitions given in this paper express the most fundamental correctness requirements, but not subtle conditions such as correctness of orphans' views. Issues of fairness and eventual progress are not addressed, but rather only safety properties, serializability in particular. Future work involves extending the framework presented here to allow expression of these other properties, and to allow correctness proofs for the difficult algorithms which guarantee these properties. Some further work in these directions has already been carried out: Goree [G] has given a definition for correctness of orphans' views, and has given a correctness proof for a complicated algorithm used in the implementation of Argus to maintain correctness of orphans' views in the face of transaction aborts.

Other related work is that of Stark [S]. He is carrying out a very general treatment of event-state algebras, incorporating considerations of modularity to a much greater extent than is present in this paper, and handling fairness and eventuality properties as well as safety properties.


2. Event-State Algebras

In this section, we describe the event-state algebra framework.

An event-state algebra $\mathcal{A} = \langle A, \sigma, \Pi \rangle$ consists of a set $A$ of states, an element $\sigma \in A$, the initial state, and a set $\Pi$ of partial unary operations on $A$. In this paper, we will usually refer to an event-state algebra as simply an algebra.

Let $a$ be a state, and let $\Phi = (\pi_1, \ldots, \pi_k)$ be any finite sequence of operations chosen from $\Pi$. Then $\Phi$ is said to be valid from $a$ provided $b = \pi_k(\pi_{k-1}(\ldots(\pi_1(a))\ldots))$ is defined; in this case, $b$ is called the result of $\Phi$ applied to $a$. An infinite sequence of operations is said to be valid from $a$ provided all its finite prefixes are valid from $a$. We say that $\Phi$ is valid provided it is valid from $\sigma$, and the result of $\Phi$ is defined to be the result of $\Phi$ applied to $\sigma$. We write $a \vdash b$ provided there is some finite $\Phi$, valid from $a$, for which $b$ is the result of $\Phi$ applied to $a$. $b$ is computable provided $\sigma \vdash b$.

Now assume $\mathcal{A} = \langle A, \sigma, \Pi \rangle$ and $\mathcal{A}' = \langle A', \sigma', \Pi' \rangle$ are two algebras. An interpretation of $\mathcal{A}$ by $\mathcal{A}'$ is a mapping $h: \Pi' \to \Pi \cup \{\lambda\}$. We extend $h$ to map operation sequences of $\mathcal{A}'$ to operation sequences of $\mathcal{A}$ in the obvious way (deleting occurrences of $\lambda$). An interpretation $h$ is a simulation of $\mathcal{A}$ by $\mathcal{A}'$ provided that $h(\Phi')$ is a valid operation sequence for $\mathcal{A}$ whenever $\Phi'$ is a valid operation sequence for $\mathcal{A}'$.

Lemma 1: Assume that $\mathcal{A}$, $\mathcal{A}'$ and $\mathcal{A}''$ are algebras, that $h$ is a simulation of $\mathcal{A}$ by $\mathcal{A}'$ and $h'$ is a simulation of $\mathcal{A}'$ by $\mathcal{A}''$. Then $h \circ h'$ is a simulation of $\mathcal{A}$ by $\mathcal{A}''$.

Proof: Straightforward.

□

Next, we give a sufficient condition for a mapping $h$ to be a simulation. Let $h: A' \cup \Pi' \to \mathcal{P}(A) \cup \Pi \cup \{\lambda\}$ be such that $h(a') \in \mathcal{P}(A)$ for all $a' \in A'$, and $h$ restricted to $\Pi'$ is an interpretation. Then $h$ is a possibilities mapping from $\mathcal{A}'$ to $\mathcal{A}$ provided the following are true:

(a) $\sigma \in h(\sigma')$.

Assume $\pi' \in \Pi'$. Assume $a$ and $a'$ are computable in $\mathcal{A}$ and $\mathcal{A}'$, respectively, and $a \in h(a')$. Assume $a' \in \mathit{domain}(\pi')$ and $b' = \pi'(a')$.

(b) If $h(\pi') = \pi \in \Pi$, then $a \in \mathit{domain}(\pi)$ and $\pi(a) \in h(b')$.

(c) If $h(\pi') = \lambda$, then $a \in h(b')$.

Lemma 2: Let $h$ be a possibilities mapping from $\mathcal{A}'$ to $\mathcal{A}$. If $\Phi'$ is a valid operation sequence for $\mathcal{A}'$, and $h(\Phi') = \Phi$, then $\Phi$ is a valid operation sequence for $\mathcal{A}$. In addition, if $\Phi'$ is finite, $a'$ is the result of $\Phi'$ and $a$ is the result of $\Phi$, then $a \in h(a')$.

Proof: By induction on the length of $\Phi'$.

□

Lemma 3: Any possibilities mapping from $\mathcal{A}'$ to $\mathcal{A}$ is a simulation of $\mathcal{A}$ by $\mathcal{A}'$.

Proof: Immediate by Lemma 2.

□

If we think of $\mathcal{A}'$ as a "concrete" algebra, and $\mathcal{A}$ as a more "abstract" algebra, then we see that a possibilities mapping allows single "concrete" states to be mapped to sets of "abstract" states rather than just single abstract states.
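As an added illustration, not code from the paper, the following Python bounded-checks conditions (a), (b) and (c) of the possibilities mapping definition, and exercises the conclusion of Lemma 2, on a constructed pair of algebras of exactly the kind discussed in the introduction: the "abstract" algebra keeps an auxiliary log of every operation applied, while the "concrete" algebra keeps only a counter and a clock about which the abstract algebra knows nothing, so the concrete state has both less and more information than the abstract one. The class and function names (Algebra, possibilities, check_possibilities_mapping, lemma2_demo), the counter example, the interpretation with a $\lambda$ step, and the depth bound are all assumptions of this example. Operations are written as partial functions that return None outside their domain; the check ranges over the computable states of both algebras within a bounded number of steps, so an empty list of violations is evidence within that bound, not a proof.

```python
# Added example (assumed names, not the paper's code): bounded check of a possibilities mapping.

class Algebra:
    """Event-state algebra <A, sigma, Pi>: an initial state and named partial unary
    operations, each returning the next state or None outside its domain."""

    def __init__(self, initial, ops):
        self.initial, self.ops = initial, ops

    def computable(self, depth):
        """States reachable from sigma by valid operation sequences of length <= depth."""
        seen, frontier = {self.initial}, [self.initial]
        for _ in range(depth):
            nxt = []
            for s in frontier:
                for op in self.ops.values():
                    t = op(s)
                    if t is not None and t not in seen:
                        seen.add(t)
                        nxt.append(t)
            frontier = nxt
        return seen

    def run(self, names):
        """Result of an operation sequence applied to sigma, or None if it is not valid."""
        s = self.initial
        for n in names:
            s = self.ops[n](s)
            if s is None:
                return None
        return s

# Abstract algebra: state = (count, log).  The log is auxiliary information recording
# every operation ever applied; dec is partial, it needs count > 0.
def abs_inc(s):
    count, log = s
    return (count + 1, log + ("inc",))

def abs_dec(s):
    count, log = s
    return (count - 1, log + ("dec",)) if count > 0 else None

ABSTRACT = Algebra((0, ()), {"inc": abs_inc, "dec": abs_dec})

# Concrete algebra: state = (count, ticks).  It keeps less than the abstract algebra
# (no log) and also something the abstract algebra ignores (a clock).
def con_inc(s):
    return (s[0] + 1, s[1])

def con_dec(s):
    return (s[0] - 1, s[1]) if s[0] > 0 else None

def con_tick(s):
    return (s[0], s[1] + 1)

CONCRETE = Algebra((0, 0), {"inc'": con_inc, "dec'": con_dec, "tick'": con_tick})

# The interpretation h on operations; None plays the role of lambda.
INTERP = {"inc'": "inc", "dec'": "dec", "tick'": None}
BAD_INTERP = {"inc'": "inc", "dec'": "dec", "tick'": "inc"}   # deliberately wrong

def possibilities(concrete_state, abstract_state):
    """Membership test for h(a'): abstract states whose log balances to the counter."""
    count, _ticks = concrete_state
    abs_count, log = abstract_state
    return abs_count == count and log.count("inc") - log.count("dec") == count

def check_possibilities_mapping(abstract, concrete, interp, member, depth):
    """Check conditions (a), (b), (c) over all computable states within `depth` steps.
    Returns the violations found; an empty list means none within the bound."""
    violations = []
    if not member(concrete.initial, abstract.initial):           # (a): sigma in h(sigma')
        violations.append(("a", concrete.initial, abstract.initial))
    abstract_states = abstract.computable(depth)
    for a_prime in concrete.computable(depth):
        related = [a for a in abstract_states if member(a_prime, a)]
        for name, op_prime in concrete.ops.items():
            b_prime = op_prime(a_prime)
            if b_prime is None:                                 # a' not in domain(pi')
                continue
            target = interp[name]
            for a in related:
                if target is None:                              # (c): h(pi') = lambda
                    if not member(b_prime, a):
                        violations.append(("c", name, a_prime, a))
                else:                                           # (b): h(pi') = pi
                    b = abstract.ops[target](a)
                    if b is None or not member(b_prime, b):
                        violations.append(("b", name, a_prime, a))
    return violations

def lemma2_demo(concrete_seq):
    """Lemma 2 on one run: h(Phi') is valid for the abstract algebra and its result
    lies in h(result of Phi')."""
    abstract_seq = [INTERP[n] for n in concrete_seq if INTERP[n] is not None]
    a_prime, a = CONCRETE.run(concrete_seq), ABSTRACT.run(abstract_seq)
    return a_prime, a, a is not None and possibilities(a_prime, a)

if __name__ == "__main__":
    print(check_possibilities_mapping(ABSTRACT, CONCRETE, INTERP, possibilities, 4))      # []
    print(check_possibilities_mapping(ABSTRACT, CONCRETE, BAD_INTERP, possibilities, 4)[:1])
    print(lemma2_demo(["inc'", "tick'", "inc'", "dec'"]))
```

The second check shows what a failed condition looks like: mapping the concrete clock step to the abstract inc violates (b), because the abstract count moves while the concrete count does not, so the new abstract state falls outside h of the new concrete state. Representing h(a') as a membership predicate rather than an explicit set is what makes the infinite set of balanced logs workable; the price is that only abstract states within the depth bound are ever tested against it.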

An algebra $\mathcal{A} = \langle A, \sigma, \Pi \rangle$ is said to be distributed over a finite index set $I$ using $d$, provided that $A$ is the Cartesian product of sets $A_i$, $i \in I$, $d$ is a mapping $d: \Pi \to I$ giving the "doer" of each operation, and the following two conditions are satisfied.

- (Local Domain) Let $i = d(\pi)$. If $a, b \in A$ and $a_i = b_i$, then $a \in \mathit{domain}(\pi)$ if and only if $b \in \mathit{domain}(\pi)$.

- (Local Changes) Let $i = d(\pi)$. If $a, b \in \mathit{domain}(\pi)$, $a' = \pi(a)$, $b' = \pi(b)$ and $a_i = b_i$, then $a'_i = b'_i$.

We now consider the simulation of an algebra by a distributed algebra. Namely, we define a "local mapping", from the local state of each component of the distributed algebra to a set of abstract states. The result of this mapping should be thought of as the set of possible abstract states, as far as a particular node can tell. The mapping from a global state of the distributed algebra can then be defined to yield the intersection of the images of all the component states. The conditions we require for local mappings are just those which guarantee that the derived global mapping is a possibilities mapping.

Let $\mathcal{A}' = \langle A', \sigma', \Pi' \rangle$ be an algebra, distributed over $I$ using $d$. Let $\mathcal{A} = \langle A, \sigma, \Pi \rangle$ be any algebra. Let $h$ be an interpretation of $\mathcal{A}$ by $\mathcal{A}'$. For each $i \in I$, let $h_i: A' \to \mathcal{P}(A)$ be such that $h_i$ depends on $A'_i$ only, i.e. if $a_i = b_i$ then $h_i(a) = h_i(b)$. Then we say that $h$ and $h_i$, $i \in I$, form a local mapping from $\mathcal{A}'$ to $\mathcal{A}$ provided the following conditions are satisfied.

(a) For all $i \in I$, $\sigma \in h_i(\sigma')$.

Assume $\pi' \in \Pi'$, $d(\pi') = i$. Assume $a$ and $a'$ are computable in $\mathcal{A}$ and $\mathcal{A}'$, respectively. Assume $a \in h_i(a')$. Assume $a' \in \mathit{domain}(\pi')$, and $b' = \pi'(a')$.

(b) If $h(\pi') = \pi \in \Pi$, then $a \in \mathit{domain}(\pi)$.

(c) Assume $h(\pi') = \pi \in \Pi$, $j \in I$ and $a \in h_j(a')$. Then $\pi(a) \in h_j(b')$.

(d) Assume $h(\pi') = \lambda$, $j \in I$ and $a \in h_j(a')$. Then $a \in h_j(b')$.

Lemma 4: Let $\mathcal{A}$ and $\mathcal{A}' = \langle A', \sigma', \Pi' \rangle$ be algebras, where $\mathcal{A}'$ is distributed over $I$. Assume that $h$ and $h_i$, $i \in I$, form a local mapping from $\mathcal{A}'$ to $\mathcal{A}$. Extend $h$ to $A' \cup \Pi'$ by defining $h(a') = \bigcap_{i \in I} h_i(a')$. Then $h$ is a possibilities mapping from $\mathcal{A}'$ to $\mathcal{A}$.

Proof: We check the three properties of the possibilities mapping definition.

(a) To see that $\sigma \in h(\sigma')$, it suffices to show that $\sigma \in h_i(\sigma')$ for all $i \in I$. But this is exactly the statement of property (a) of the local mapping definition.

Now we assume the hypotheses supplied for parts (b) and (c) of the possibilities mapping definition. Assume also that $d(\pi') = i$.

(b) Since $a \in h(a')$, it is obvious that $a \in h_i(a')$. Property (b) of the local mapping definition implies that $a \in \mathit{domain}(\pi)$. In order to show that $\pi(a) \in h(b')$, it suffices to fix an arbitrary $j \in I$ and show that $\pi(a) \in h_j(b')$. Since $a \in h_j(a')$, the needed property follows from (c) of the local mapping definition.

(c) It suffices to show that $a \in h_j(b')$ for any $j \in I$. This follows as in the preceding argument from (d) of the local mapping definition.

□
If the definitions in this section are to be used in correctness proofs for the widest possible class of algorithms, they will probably need to be generalized. In particular, it seems appropriate to permit single operations of a more concrete algebra to be interpreted by sequences of operations of a more abstract algebra. (See Goree [G] for definitions and uses for this generalization.) Also, sets of initial states rather than single initial states are probably useful.

3. Action Trees

In this section, basic definitions are given for action trees and serializability.

Let $\mathit{obj}$ be a universal set of data objects. For each $x \in \mathit{obj}$, let $\mathit{values}(x)$ denote the set of values $x$ can assume, including a distinguished initial value $\mathit{init}(x)$; let $\mathit{values}(\mathit{obj})$ denote $\bigcup_{x \in \mathit{obj}} \mathit{values}(x)$. A value assignment is a total mapping $f$ from $\mathit{obj}$ to $\mathit{values}(\mathit{obj})$, having the property that $f(x) \in \mathit{values}(x)$ for all $x \in \mathit{obj}$.

Let $\mathit{act}$ be a universal set of actions (i.e. transactions). Let $U$ be a distinguished action. We assume that the actions are configured a priori into a tree, representing their nesting relationship, with $U$ as the root. For every $A \in \mathit{act} - \{U\}$, let $\mathit{parent}(A)$ denote a unique parent action for $A$. Let $\mathit{siblings}$ denote $\{(A,B) \in \mathit{act}^2 : \mathit{parent}(A) = \mathit{parent}(B)\}$. If $A \in \mathit{act}$, let $\mathit{children}(A)$ denote $\{B \in \mathit{act} : \mathit{parent}(B) = A\}$. If $A, B \in \mathit{act}$, let $\mathit{lca}(A,B)$ denote the least common ancestor of $A$ and $B$. If $A \in \mathit{act}$, let $\mathit{desc}(A)$ (resp. $\mathit{anc}(A)$) be the set of descendants (resp. ancestors) of $A$; we count $A$ among its own descendants and ancestors. Let $\mathit{properdesc}(A)$ (resp. $\mathit{properanc}(A)$) be the set of proper descendants (resp. ancestors) of $A$, i.e. excluding $A$ itself.

It might be convenient for the reader to think of this a priori configuration of all possible actions into a tree as a preassigned "naming scheme" for actions. That is, the "name" of any action is assumed to carry within it information which locates that action in this universal tree of actions. In any particular execution, only some of these possible actions will be "activated". The (virtual) action $U$, the parent of all top-level actions, has been added for the sake of uniformity.

Let $\mathit{seq} \subseteq \mathit{siblings}$ be any fixed partial order, representing sequential dependency. If $(A,B) \in \mathit{seq}$, it means that $A$ is constrained to run before $B$. For the sake of notational simplicity, we are assuming this relation is also fixed a priori; this amounts to assuming that the "name" of any action carries within it information about which siblings the action can assume have completed. The use of an arbitrary partial order is a generalization of both the total order usually specified for the steps which occur within a single-level transaction, and the unconstrained order usually specified among the transactions themselves. We also assume a priori determination of which actions actually access data, which objects they access and the functions they perform on those objects: let $\mathit{accesses}$ denote the leaves of the tree described above. (We assume that $U \notin \mathit{accesses}$, so that the set of actions is nontrivial.) Let $\mathit{object}: \mathit{accesses} \to \mathit{obj}$ be a fixed function. If $\mathit{object}(A) = x$, we say that $A$ is an access to $x$. For $A \in \mathit{accesses}$, let $\mathit{update}(A): \mathit{values}(\mathit{object}(A)) \to \mathit{values}(\mathit{object}(A))$ be a fixed function. Let $\mathit{sameobject}$ denote $\{(A,B) \in \mathit{accesses}^2 : \mathit{object}(A) = \mathit{object}(B)\}$.

I am departing from the usual approach in serializability theory by including a particular function (rather than an uninterpreted function) in the definition of an action which accesses data. This is because I want to state correctness conditions in terms of preserving certain relationships among the data values seen and written. This "semantic" style of correctness condition seems to me to be more basic than the usual correctness definitions in serializability theory, in that it says less to constrain the implementation.

Note that the usual read and write operations of serializability theory can be regarded as special cases of my accesses. Namely, "read accesses" have the identity function as their associated update function, while "write accesses" have an associated update function which is a constant function.

Next, I give a way of describing a "snapshot" of a particular execution, using a structure called an "action tree". An action tree can be regarded as the generalization of the log from ordinary serializability theory.

An action tree $T$ has components $\mathit{vertices}_T$, $\mathit{active}_T$, $\mathit{committed}_T$, $\mathit{aborted}_T$ and $\mathit{label}_T$, where

- $\mathit{vertices}_T$ is a finite subset of $\mathit{act}$, closed under the parent operation: if $A \in \mathit{vertices}_T - \{U\}$, then $\mathit{parent}(A) \in \mathit{vertices}_T$. (These represent the actions which have ever been created during the current execution.)

- $\mathit{active}_T$, $\mathit{committed}_T$ and $\mathit{aborted}_T$ comprise a partition of $\mathit{vertices}_T$. (These classifications indicate the current status of each action that has ever been created. When a non-access action is first created, it is classified as active. At some later time, its classification can be changed to either committed or aborted. By "committed", we mean that the action is committed relative to its parent, but not necessarily committed permanently. Permanent commit of an action would be represented by classification of all ancestors of the action, except for $U$, as committed.)

- $\mathit{label}_T: \mathit{datasteps}_T \to \mathit{values}(\mathit{obj})$, where $\mathit{datasteps}_T = \mathit{committed}_T \cap \mathit{accesses}$, with $\mathit{label}_T(A) \in \mathit{values}(\mathit{object}(A))$. (The label of an access to an object is intended to represent the value read by that access. Since the access has an associated function, the value which the access writes into the object is deducible from the value read, and therefore need not be explicitly represented.)


Let $\mathit{done}_T$ denote $\mathit{committed}_T \cup \mathit{aborted}_T$. Let $\mathit{status}_T$ be defined by $\mathit{status}_T(A) = $ 'active' (resp. 'committed', 'aborted') provided $A \in \mathit{active}_T$ (resp. $\mathit{committed}_T$, $\mathit{aborted}_T$). Let $\mathit{accesses}_T = \mathit{vertices}_T \cap \mathit{accesses}$, $\mathit{accesses}_T(x) = \{B \in \mathit{accesses}_T : \mathit{object}(B) = x\}$, and $\mathit{datasteps}_T(x) = \{B \in \mathit{datasteps}_T : \mathit{object}(B) = x\}$. Let $\mathit{seq}_T$ denote $\mathit{seq} \cap (\mathit{vertices}_T)^2$.

Next, we describe actions whose existence is intended to be known to other actions (i.e. not masked from those other actions by intervening failures or active actions). For $A \in \mathit{vertices}_T$, let $\mathit{visible}_T(A)$ denote $\{B \in \mathit{vertices}_T : \mathit{anc}(B) \cap \mathit{properdesc}(\mathit{lca}(A,B)) \subseteq \mathit{committed}_T\}$. That is, $\mathit{visible}_T(A)$ is just the set of actions whose existence is known to action $A$, because they and all their ancestors, up to and not including some ancestor of $A$, have committed. For $A \in \mathit{vertices}_T$, $x \in \mathit{obj}$, let $\mathit{visible}_T(A,x)$ denote $\mathit{visible}_T(A) \cap \mathit{datasteps}_T(x)$. The following lemma describes elementary properties of "visibility".

Lemma 5: Let $T$ be an action tree, $A, B, C \in \mathit{vertices}_T$.

a. If $A \in \mathit{desc}(B)$, then $B \in \mathit{visible}_T(A)$.

b. $A \in \mathit{visible}_T(B)$ if and only if $A \in \mathit{visible}_T(\mathit{lca}(A,B))$.

c. If $A \in \mathit{visible}_T(B)$ and $B \in \mathit{visible}_T(C)$, then $A \in \mathit{visible}_T(C)$.

d. If $A \in \mathit{desc}(B)$ and $C \in \mathit{visible}_T(B)$, then $C \in \mathit{visible}_T(A)$.

e. If $A \in \mathit{desc}(B)$ and $A \in \mathit{visible}_T(C)$, then $B \in \mathit{visible}_T(C)$.

Proof:

a. Immediate.

b. Immediate from the fact that $\mathit{lca}(A,B) = \mathit{lca}(A,\mathit{lca}(A,B))$.

c. Let $D \in \mathit{anc}(A) \cap \mathit{properdesc}(\mathit{lca}(A,C))$. We must show that $D \in \mathit{committed}_T$. If $D \in \mathit{properdesc}(\mathit{lca}(A,B))$, then the fact that $A \in \mathit{visible}_T(B)$ implies the result. So assume that $D \notin \mathit{properdesc}(\mathit{lca}(A,B))$. It must be the case that $D \in \mathit{anc}(\mathit{lca}(A,B))$, and that $\mathit{lca}(B,C) = \mathit{lca}(A,C)$. Thus, $D \in \mathit{anc}(B) \cap \mathit{properdesc}(\mathit{lca}(B,C))$, so the fact that $B \in \mathit{visible}_T(C)$ implies the result.

d. Immediate from parts a and c.

e. Immediate from parts a and c.

□

If $A \in \mathit{vertices}_T$, then we say $A$ is live in $T$ provided $\mathit{anc}(A) \cap \mathit{aborted}_T = \emptyset$, and we say $A$ is dead in $T$ otherwise.

Lemma 6: If $A, B \in \mathit{vertices}_T$, $A$ is live in $T$, and $B \in \mathit{visible}_T(A)$, then $B$ is live in $T$.

Proof: If $B$ is dead in $T$, then there exists $C \in \mathit{anc}(B) \cap \mathit{aborted}_T$. We know $C \notin \mathit{properdesc}(\mathit{lca}(A,B))$, since $B \in \mathit{visible}_T(A)$. Thus, $C \in \mathit{anc}(\mathit{lca}(A,B)) \subseteq \mathit{anc}(A)$, so $A$ is dead in $T$, a contradiction.

□

If $x \in \mathit{obj}$ and $s$ is a finite sequence of datasteps, then we define $\mathit{result}(x,s)$ as follows. If $s$ is the empty sequence, then $\mathit{result}(x,s) = \mathit{init}(x)$. Otherwise, let $s = s'A$. Then $\mathit{result}(x,s) = \mathit{update}(A)(\mathit{result}(x,s'))$ if $A$ is an access to $x$, and $\mathit{result}(x,s) = \mathit{result}(x,s')$ otherwise.

If $S$ is a set, and $<$ is a total order on the elements of $S$, then we let $\ll S; < \gg$ denote the sequence consisting of the elements of $S$, in the order given by $<$.

Let $T$ be an action tree. A partial order $p \subseteq \mathit{siblings}$ is linearizing for $T$ provided $p$ totally orders all siblings in $T$. A linearizing partial order $p$ induces a total order, $\mathit{induced}_{T,p}$, on $\mathit{datasteps}_T$, in the obvious way (two distinct datasteps are ordered as $p$ orders the two children of their least common ancestor that are their respective ancestors). If $A \in \mathit{datasteps}_T(x)$ and $p$ is a linearizing partial order for $T$, let $\mathit{preds}_{T,p}(A)$ denote $\ll \{B \in \mathit{visible}_T(A,x) : (B,A) \in \mathit{induced}_{T,p} \text{ and } B \neq A\}; \mathit{induced}_{T,p} \gg$.

A linearizing partial order $p$ for $T$ is said to be a serializing partial order for $T$ provided $p$ is consistent with $\mathit{seq}$, and $\mathit{label}_T(A) = \mathit{result}(x, \mathit{preds}_{T,p}(A))$ for all $A \in \mathit{datasteps}_T(x)$. $T$ is said to be serializable provided there exists some serializing partial order for $T$.

Stating the simplest correctness requirements only requires consideration of actions whose effects become "permanent". Therefore, we restrict attention to a portion of $T$, as follows. A new action tree $\mathit{perm}(T)$ is defined as follows.

- $\mathit{vertices}_{\mathit{perm}(T)} = \mathit{visible}_T(U)$. (Lemma 5e shows that $\mathit{perm}(T)$ is a tree.)

- If $A \in \mathit{vertices}_{\mathit{perm}(T)}$, then $\mathit{status}_{\mathit{perm}(T)}(A) = \mathit{status}_T(A)$.

- If $A \in \mathit{datasteps}_{\mathit{perm}(T)}$, then $\mathit{label}_{\mathit{perm}(T)}(A) = \mathit{label}_T(A)$.

Lemma 7: If $T$ is an action tree and $A, B \in \mathit{vertices}_{\mathit{perm}(T)}$, then $B \in \mathit{visible}_{\mathit{perm}(T)}(A)$.

Proof: Since $B \in \mathit{vertices}_{\mathit{perm}(T)} = \mathit{visible}_T(U)$, Lemma 5d implies that $B \in \mathit{visible}_T(A)$. Then $B \in \mathit{visible}_{\mathit{perm}(T)}(A)$, since the status of each vertex is the same in $T$ and $\mathit{perm}(T)$.

□
We will require that any tree $T$ created by our algorithm have $\mathit{perm}(T)$ serializable.
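As an added example, not code from the paper, here is a small Python model of the definitions of this section: action trees with visibility, live and dead vertices, $\mathit{perm}(T)$, the order on datasteps induced by a linearizing order, $\mathit{result}$, and a brute-force search over all linearizing orders that decides whether $\mathit{perm}(T)$ is serializable. The class and function names, the encoding of a linearizing order as a list of children per internal vertex, and the constructed execution (one object x with three accesses under two top-level actions) are assumptions of the example. Update functions are ordinary Python functions, so the read and write special cases (identity and constant functions) and a read-modify-write increment are all accesses in the sense defined above.

```python
# Added example (assumed names, constructed data; not the paper's code): action trees,
# visibility, perm(T) and a brute-force serializability check.
from itertools import permutations, product

U = "U"   # the virtual root action

class ActionTree:
    """Snapshot of a nested-transaction execution (Section 3): parent links, a status per
    vertex, and for each committed access (datastep) the value it read (its label)."""

    def __init__(self, init, parent, status, access, label, seq=()):
        self.init = dict(init)        # object -> init(x)
        self.parent = dict(parent)    # vertex -> parent vertex (U has none)
        self.status = dict(status)    # vertex -> 'active' | 'committed' | 'aborted'
        self.access = dict(access)    # access -> (object, update function)
        self.label = dict(label)      # datastep -> value read
        self.seq = set(seq)           # (A, B): sibling A is constrained to run before B
        self.vertices = set(self.status)

    def anc(self, a):                 # A together with all of its ancestors, ending at U
        chain = [a]
        while chain[-1] != U:
            chain.append(self.parent[chain[-1]])
        return chain

    def lca(self, a, b):
        anc_b = set(self.anc(b))
        return next(v for v in self.anc(a) if v in anc_b)

    def children(self, a):
        return [c for c, p in self.parent.items() if p == a]

    def datasteps(self):              # committed accesses
        return {a for a in self.access if self.status.get(a) == "committed"}

    def visible(self, a):             # visible_T(A): B whose chain below lca(A,B) is all committed
        out = set()
        for b in self.vertices:
            anc_b = self.anc(b)
            below_lca = anc_b[:anc_b.index(self.lca(a, b))]   # anc(B) n properdesc(lca(A,B))
            if all(self.status[d] == "committed" for d in below_lca):
                out.add(b)
        return out

    def live(self, a):                # live: no ancestor (A itself included) has aborted
        return all(self.status[d] != "aborted" for d in self.anc(a))

    def perm(self):                   # perm(T): vertices visible to U, statuses and labels kept
        keep = self.visible(U)
        sub = lambda m: {k: v for k, v in m.items() if k in keep}
        return ActionTree(self.init, sub(self.parent), sub(self.status), sub(self.access),
                          sub(self.label), {e for e in self.seq if set(e) <= keep})

    def induced(self, order):         # induced_{T,p}: depth-first traversal in sibling order p
        steps, stack, data = [], [U], self.datasteps()
        while stack:
            v = stack.pop()
            if v in data:
                steps.append(v)
            stack.extend(reversed(order.get(v, [])))
        return steps

    def result(self, x, steps):       # result(x, s): fold the updates of the accesses to x
        value = self.init[x]
        for a in steps:
            obj, update = self.access[a]
            if obj == x:
                value = update(value)
        return value

    def serializing(self, order):
        """order (children list per internal vertex) is serializing: it respects seq and
        every datastep A read exactly result(x, preds_{T,p}(A))."""
        for a, b in self.seq:
            siblings = order[self.parent[a]]
            if siblings.index(a) > siblings.index(b):
                return False
        ind = self.induced(order)
        for a in self.datasteps():
            x, vis = self.access[a][0], self.visible(a)
            preds = [b for b in ind[:ind.index(a)] if b in vis and self.access[b][0] == x]
            if self.label[a] != self.result(x, preds):
                return False
        return True

    def serializable(self):           # try every linearizing order; a serializing one or None
        internal = sorted(v for v in self.vertices if self.children(v))
        for choice in product(*(permutations(self.children(v)) for v in internal)):
            order = dict(zip(internal, map(list, choice)))
            if self.serializing(order):
                return order
        return None

def example(labels, status_t2="committed"):
    """Constructed execution: x starts at 0; top-level T1 reads x (R1) then writes 5 (W1),
    with (R1, W1) in seq; top-level T2 adds 10 to x (W2).  `labels` = value each access read."""
    return ActionTree(
        init={"x": 0}, parent={"T1": U, "R1": "T1", "W1": "T1", "T2": U, "W2": "T2"},
        status={U: "active", "T1": "committed", "R1": "committed", "W1": "committed",
                "T2": status_t2, "W2": "committed"},
        access={"R1": ("x", lambda v: v), "W1": ("x", lambda v: 5), "W2": ("x", lambda v: v + 10)},
        label=labels, seq={("R1", "W1")})

if __name__ == "__main__":
    for labels, t2 in [({"R1": 0, "W1": 0, "W2": 5}, "committed"),
                       ({"R1": 0, "W1": 0, "W2": 0}, "committed"), ({"R1": 0, "W1": 0, "W2": 0}, "aborted")]:
        print(labels, t2, "->", example(labels, t2).perm().serializable())
```

The first run finds the serializing order T1 before T2 (W2 read 5, the value W1 wrote). The second has labels no serial order of T1 and T2 explains: W2 reading 0 puts it before W1, R1 reading 0 puts it before W2, yet R1 and W1 belong to the same top-level action. The third run has the same labels but T2 aborted: T2 and W2 are no longer visible to U, so they drop out of perm(T), W2's label need not be explained, and the tree is accepted, which is the sense in which a failed action has no effect. The search enumerates every ordering of siblings and is exponential; it is a checker for small snapshots, not a concurrency control algorithm.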

Note that the style in which serializability is defined here constrains the implementation less than the type of definition used in "traditional" concurrency control theory. The earlier definitions regard the data as external to the concurrency control algorithm; the algorithm is to take requests for data accesses and translate them into actual accesses, observing appropriate rules. Generally, the accesses performed by the concurrency control algorithm simply obtain the latest version of the data object. A clue that the earlier definitions are too constraining is that they do not apply unchanged to algorithms such as Reed's, which use sophisticated management of versions of the data. The earlier definitions require extensions [KP, BG] to handle algorithms such as Reed's. These extensions still regard the data as external to the concurrency control algorithm, and so the modified correctness conditions contain explicit information about particular "versions" of the data objects. It seems to me, however, that the appearance of serializability, in terms of the values seen by the accesses, is really all that matters: it is possible that this appearance could be preserved by some algorithm which does not operate in terms of versions at all.

The less constraining approach which is taken here is to regard the data as internal to the concurrency control algorithm, at least for the purpose of stating the basic correctness conditions. Thus, the definitions introduced in this paper are intended to be applicable to algorithms which use single versions of data objects, to algorithms that use multiple versions of data objects, and to other implementations as yet unforeseen.


4. An Algebra Based on Action Trees

We now define a set of operations on action trees. That is, we define an algebra 𝒜 = <A, σ, Π>, where A is the set of action trees, σ is the trivial action tree with the single vertex U, with status 'active', and Π contains the four kinds of operations described in (a)-(d) below. We define the operations as follows. First, we let C denote the set of all action trees, T, for which perm(T) is serializable. (In particular, σ ∈ C.) We constrain the ranges of all of the operations to be subsets of C. Within this constraint, we define the domain by giving a precondition on action trees T, and use assignment notation to describe the effect of the operation on T.

In all operations, we assume that A ∈ act - {U}.

(a) create_A

(a1) Precondition

(a11) A ∉ vertices_T.

(a12) parent(A) ∈ vertices_T - committed_T.

(a13) If (B,A) ∈ seq and B ≠ A, then B ∈ done_T.

(a2) Effect

(a21) vertices_T ← vertices_T ∪ {A}.

(a22) status_T(A) ← 'active'.

(b) commit_A, A ∉ accesses

(b1) Precondition

(b11) A ∈ active_T.

(b12) children(A) ∩ vertices_T ⊆ done_T.

(b2) Effect

(b21) status_T(A) ← 'committed'.

(c) abort_A

(c1) Precondition

(c11) A ∈ active_T.

(c2) Effect

(c21) status_T(A) ← 'aborted'.

(d) perform_{A,u}, A ∈ accesses, x = object(A), u ∈ values(x)

(d1) Precondition

(d11) A ∈ active_T.

(d2) Effect

(d21) status_T(A) ← 'committed'.

(d22) label_T(A) ← u.


5. Augmented Action Trees

The definitions which make specific reference to versions are still useful in conjunction with the approach of this paper. Their role is in supplying sufficient conditions for serializability, and thereby helping to organize correctness proofs.

In this section, a new structure called an "augmented action tree" is defined. Augmented action trees are just action trees with a little additional information. Namely, in the spirit of the earlier definitions, some information is added which describes a sequence of versions for each data object. Serializability is defined for augmented action trees. It is seen that serializability for augmented action trees implies serializability for corresponding action trees. Moreover, serializability for augmented action trees has a cycle-free characterization similar to those in usual concurrency control theory. Thus, this structure can be useful in proofs of serializability for action trees.

An augmented action tree (AAT), T, is a pair (S,D), where S is an action tree and D ⊆ sameobject_S is a partial order on datasteps_S which totally orders the datasteps for each object. In this case, we write data_T for D. We extend action tree notation to T; for example, we write datasteps_T to denote datasteps_S. If T is an AAT, then let sibling-data_T denote {(A,B) ∈ siblings: (C,D) ∈ data_T for some C ∈ desc(A), D ∈ desc(B)}. If A ∈ datasteps_T(x), then let v-data_T(A) denote {B ∈ visible_T(A,x): (B,A) ∈ data_T and B ≠ A}.

The following is a technical lemma needed for the characterization theorem.

Lemma 8: Let T be an AAT. If there is a cycle of length greater than one in seq ∪ sibling-data_T, then there is a cycle of length greater than one in seq_T ∪ sibling-data_T.

Proof: Assume not. Choose a cycle, γ, of minimum length greater than one, in seq ∪ sibling-data_T. There must be an action, A, on γ with A ∉ vertices_T. Let (B,A) and (A,C) be the two pairs on γ involving A. Then both pairs are elements of seq. Thus, (B,C) ∈ seq and B ≠ C, since seq is a partial order. Removing A from γ leaves a cycle with at least two elements (B and C), having one fewer element than γ. This contradicts the minimality of γ.

□

If T = (S,D) is an AAT, then erase(T) is just the action tree S. We extend the definitions of visible, live, dead, linearizing, induced, preds and serializable to an AAT, T, by applying them to erase(T). An AAT, T, is data-serializable provided there exists p, a serializing partial order for T, with the additional property that induced_T p is consistent with data_T. Data-serializability for AAT's provides a sufficient condition for correctness.

Lemma 9: Let T be an AAT. Let p be a linearizing partial order for T, x ∈ obj, and A ∈ datasteps_T(x). Assume that induced_T p is consistent with data_T. Then preds_{T,p}(A) = ≪v-data_T(A); data_T≫.

Proof: Straightforward.

□

Data-serializability for AAT's has a cycle-free characterization. First, we give a definition which says that the label of each access describes the correct object value which the access should see, if the versions of objects are ordered according to the data_T order. Formally, an AAT is version-compatible provided for every x ∈ obj, and every A ∈ datasteps_T(x), it is the case that label_T(A) = result(x,s), where s = ≪v-data_T(A); data_T≫.

Theorem 10: An AAT, T, is data-serializable if and only if both of the following are true:

a. T is version-compatible.

b. There are no cycles of length greater than one in seq_T ∪ sibling-data_T.

Proof: Assume T is data-serializable, and obtain p, a serializing partial order for T for which induced_T p is consistent with data_T.

a. Let A ∈ datasteps_T(x), s = ≪v-data_T(A); data_T≫. Then label_T(A) = result(x, preds_{T,p}(A)), by the definition of serializability, = result(x,s), by Lemma 9.

b. seq_T ∪ sibling-data_T ⊆ p. Thus, there are no cycles of length greater than one in seq_T ∪ sibling-data_T.

Now assume a. and b. Lemma 8 implies that there are no cycles of length greater than one in seq ∪ sibling-data_T. Let p be any partial order which totally orders all siblings and is consistent with seq ∪ sibling-data_T. Then p is linearizing for T, and induced_T p is consistent with data_T. We will show that p is a serializing partial order for T. Let x ∈ obj, A ∈ datasteps_T(x). We must show that label_T(A) = result(x, preds_{T,p}(A)). Since T is version-compatible, we know that label_T(A) = result(x,s), where s = ≪v-data_T(A); data_T≫. Then Lemma 9 implies that s = preds_{T,p}(A), as needed.

□

6. An Algebra Based on Augmented Action Trees

In order to prove that an algorithm generates only correct operation sequences, it is helpful to include the additional information present in AAT's. Thus, we define operations on AAT's, analogously to the definitions for action trees. Once again, we carry out the definitions within the algebra framework defined earlier. We define a new algebra 𝒜' = <A', σ', Π'>, where A' is the set of AAT's, σ' is the trivial AAT which has a single vertex U with status 'active', and the operations in Π' correspond closely to the operations of 𝒜, and are designated by the same names. (We will rely on context to distinguish the two cases.) The only differences are that there is no global constraint corresponding to C, and perform_{A,u} introduces two additional preconditions and an additional change. These new conditions can be thought of as capturing the abstract effect of a variant of Moss' locking algorithm.

(d1) Precondition

(d12) Let B ∈ datasteps_T(x), B live in T. Then B ∈ visible_T(A,x).

(d13) If A is live in T, then u = result(x,s), where s = ≪visible_T(A,x); data_T≫.

(d2) Effect

(d23) data_T ← data_T ∪ {(B,A): B ∈ datasteps_T(x)} ∪ {(A,A)}.

Lemma 11: If T is computable in 𝒜', then the following are true.

a. If A ∈ vertices_T and parent(A) ∈ committed_T, then A ∈ done_T.

b. If A ∈ vertices_T and (B,A) ∈ seq and B ≠ A, then B ∈ done_T.

c. U ∈ active_T.

d. If (B,A) ∈ data_T, then either B is dead in T, or else B ∈ visible_T(A).

e. If A ∈ committed_T and B ∈ desc(A) ∩ vertices_T, then either B is dead in T or else B ∈ visible_T(A).

Proof: Most of the arguments are straightforward. We argue cases d. and e.

d. If B = A, the result is immediate. If B ≠ A, then the only way we get (B,A) ∈ data_T is by virtue of some perform_{A,u} event. That is, there exists T' such that T' ⊢ T, such that the precondition for some step perform_{A,u} is satisfied in T'. Thus, B is dead in T' or B ∈ visible_{T'}(A). Therefore, B is dead in T or B ∈ visible_T(A).

e. If B = A, the result is immediate. So assume A ≠ B. Let A ∈ committed_T, B ∈ desc(A) ∩ vertices_T, B live in T, and B ∉ visible_T(A). Then there exist C, D ∈ desc(A) ∩ anc(B), for which C = parent(D), C ∈ committed_T and D ∈ active_T. But this contradicts part a.

□

Lemma 12: Let T and T' be computable in 𝒜', and assume that T ⊢ T'.

a. vertices_T ⊆ vertices_{T'}, committed_T ⊆ committed_{T'}, aborted_T ⊆ aborted_{T'}, and data_T ⊆ data_{T'}.

b. If A ∈ datasteps_T, then label_T(A) = label_{T'}(A).

c. If A ∈ datasteps_T and (B,A) ∈ data_{T'}, then (B,A) ∈ data_T.

d. If A ∈ vertices_T, then visible_T(A) ⊆ visible_{T'}(A).

e. If A ∈ vertices_T and A is live in T', then A is live in T.

f. If A = parent(B) and A ∈ committed_T, and B ∈ vertices_{T'}, then B ∈ done_T.

Proof: The only case that takes some arguing is f. Let A = parent(B), A ∈ committed_T and B ∈ vertices_{T'}. Let T be the result of φ, and let T' be the result of ψ applied to T. Then φ contains a step π of the form commit_A, and φψ contains a step ρ of the form create_B. π cannot precede ρ, since the precondition for ρ would be violated. So ρ precedes π. Then the precondition for π implies that B ∈ done_T.

□

Note  that  there  is  no  correctness  condition  for  AAT's  explicitly  mentioning  serializability.  This  is 
because  for  AAT's,  computability  alone  is  sufficient  to  guarantee  serializability  of  perm(T),  as  we 
show  in  the  next  theorem. 

Lemma 13: If T is computable in 𝒜', then perm(T) is version-compatible.

Proof: Let A ∈ datasteps_{perm(T)}(x). We must show that u (= label_{perm(T)}(A)) = result(x,s), where s = ≪v-data_{perm(T)}(A); data_{perm(T)}≫. A is inserted into the tree by a perform_{A,u} step π, so let the operation sequence producing T be written as φπψ. Let T' denote the result of φ, and T'' the result of φπ. The preconditions for π show that label_{T''}(A) = result(x,s'), where s' = ≪visible_{T'}(A,x); data_{T'}≫. By Lemma 12b and the definition of perm(T), it follows that label_{perm(T)}(A) = result(x,s'). Thus, it suffices to show that s = s'. Since both data_{T'} and data_{perm(T)} are consistent with data_T, it suffices to show that s and s' contain the same elements.

First, let B ∈ s. Then (B,A) ∈ data_T, and so by Lemma 12c, B ∈ datasteps_{T''}(x). Since A is the only element in T'' which is not in T', B ∈ datasteps_{T'}(x). Since A ∈ vertices_{perm(T)} = visible_T(U), and U ∉ aborted_T (by Lemma 11), it follows that A is live in T. Since B ∈ visible_T(A), Lemma 6 shows that B is live in T. Thus, B is live in T', by Lemma 12e. The precondition for π implies that B ∈ visible_{T'}(A,x), so B ∈ s'.

Conversely, suppose B ∈ s'. Then B ≠ A since A ∉ vertices_{T'}. Then (B,A) ∈ data_{T''}, so by Lemma 12a, (B,A) ∈ data_T. By Lemma 12d, B ∈ visible_T(A,x). By Lemma 7, it suffices to show that B ∈ vertices_{perm(T)} = visible_T(U). But B ∈ visible_T(A) and A ∈ visible_T(U), so Lemma 5c suffices.

□

Lemma 14: If T is computable in 𝒜', then there are no nontrivial cycles in seq_{perm(T)} ∪ sibling-data_{perm(T)}.

Proof: Assume the contrary: let (A_0, A_1, ..., A_k = A_0), k ≥ 2, be a minimum length cycle such that (A_i, A_{i+1}) ∈ seq_{perm(T)} ∪ sibling-data_{perm(T)} for all i, 0 ≤ i ≤ k-1. Let a sequence φ of operations be defined so that T is the result of φ. We will show that for each i, 0 ≤ i ≤ k-1, there exists a prefix ψ_i of φ such that if T_i is the result of ψ_i, then A_i ∈ done_{T_i} and A_{i+1} ∉ done_{T_i}. If we fix i for which ψ_i is of maximum length, and let T' be the result of this ψ_i, then we see that A_{i+1} ∉ done_{T'}. But ψ_{i+1} is no longer than ψ_i, so Lemma 12a implies that A_{i+1} ∈ done_{T'}, which is a contradiction.

Fix i. If (A_i, A_{i+1}) ∈ seq_{perm(T)}, then φ has a prefix ψπ where π is a create_{A_{i+1}} operation. Let T' be the result of ψ. The preconditions for π imply that A_i ∈ done_{T'}. Thus, ψ_i = ψ suffices.

Now assume that (A_i, A_{i+1}) ∈ sibling-data_{perm(T)}. Then there exist B ∈ desc(A_i), C ∈ desc(A_{i+1}) with (B,C) ∈ data_{perm(T)}. Since B, C ∈ vertices_{perm(T)}, it follows that (anc(B) ∪ anc(C)) ∩ proper-desc(U) ⊆ committed_T. Now, φ has a prefix ψπ, where π is a perform_{C,u} step. Let T' be the result of ψ, and T'' the result of ψπ. Lemma 12c implies that (B,C) ∈ data_{T''}, so that B ∈ datasteps_{T'}. Since B is live in T (using Lemma 11c), Lemma 12e implies that B is live in T'. Then the precondition for π implies that B ∈ visible_{T'}(C), which means that A_i ∈ anc(B) ∩ proper-desc(lca(B,C)) ⊆ committed_{T'} ⊆ done_{T'}. We must show that A_{i+1} ∉ done_{T'}; if we can do this, then taking ψ_i = ψ yields the result. Assume A_{i+1} ∈ done_{T'}. Then let D be the lowest ancestor of C for which D ∈ done_{T'}; it must be the case that D ∈ anc(C) ∩ proper-desc(lca(B,C)) ⊆ committed_T, so D ∈ committed_{T'}. Since C ∉ vertices_{T'}, we know that D ≠ C. Let E be the single element of children(D) ∩ anc(C). Then E ∉ done_{T'}. Then E ∉ vertices_{T''} by Lemma 12f. This means C ∉ vertices_{T''}. This is a contradiction.

□


Theorem 15: If T is computable in 𝒜', then perm(T) is data-serializable.

Proof: Immediate from Lemma 13, Lemma 14 and Theorem 10.

□


Next, we show that it is sufficient to restrict attention to correctness of operation sequences for AAT's. We define a mapping h from 𝒜' to 𝒜 as follows. If T is an AAT, then h(T) = {erase(T)}. If π is in Π', then h(π) is just the operation in Π with the same name.

Lemma 16: h is a simulation of 𝒜 by 𝒜'.

Proof: (a) and (c) are immediate. To see (b), the first conclusion follows immediately from the fact that T' ∈ domain(π') (since only additional constraints are added for 𝒜'); note that Theorem 15 implies that the C-constraint is always satisfied. The second conclusion is then straightforward. Thus, h is a possibilities mapping. Lemma 3 shows that h is a simulation.

□

7.  An  Algebra  Based  on  Version  Maps 

In this section, we introduce another data structure. This one records, for each object and action, the sequence of accesses to the object whose result is available to the action.

A version map is a partial mapping V from obj × act to sequences of accesses, such that the following properties are satisfied:

- V(x,U) is defined for all x,

- each V(x,A) consists of accesses to x,

- for each x, if V(x,A) and V(x,B) are both defined, then either A ∈ desc(B) or B ∈ desc(A),

- if V(x,A) and V(x,B) are both defined and B ∈ desc(A), then V(x,B) is an extension of V(x,A).

If A is the least action for which V(x,A) is defined, then we call A the principal action for x in V; in this case, if result(x, V(x,A)) = u, we say that u is the principal value of x in V.

We define another algebra, 𝒜'' = <A'', σ'', Π''>, as follows. A'' is the set of pairs (T,V), where T is an AAT and V is a version map. σ'' consists of the trivial AAT consisting of a single node U with status 'active', and the version map which has V(x,U) equal to the empty sequence, for all x, and is otherwise undefined. Π'' consists of the six operations defined below in (a)-(f).

In all the operations to follow, we assume that A ∈ act - {U}. Operations (a)-(c) are identical to (a)-(c) of 𝒜'.

(d) perform_{A,u}, A ∈ accesses, x = object(A), u ∈ values(x)

(d1) Precondition

(d11) A ∈ active_T.

(d12) {B: V(x,B) is defined} ⊆ proper-anc(A).

(d13) u is the principal value of x in V.

(d2) Effect

(d21) status_T(A) ← 'committed'.

(d22) label_T(A) ← u.

(d23) data_T ← data_T ∪ {(B,A): B ∈ datasteps_T(x)} ∪ {(A,A)}.

(d24) V(x,A) ← V(x,B) ∘ (A), where B is the principal action for x in V.

(e) release-lock_{A,x}, x ∈ obj

(e1) Precondition

(e11) V(x,A) is defined.

(e12) A ∈ committed_T.

(e2) Effect

(e21) V(x,parent(A)) ← V(x,A).

(e22) V(x,A) ← undefined.

(f) lose-lock_{A,x}, x ∈ obj

(f1) Precondition

(f11) V(x,A) is defined.

(f12) A is dead in T.

(f2) Effect

(f21) V(x,A) ← undefined.
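The six operations of 𝒜'' above, worked through in Python as an added example (this is not code from the paper): two top-level siblings access the same object x, the second is refused by (d12) while the first subtree holds V(x,·), the lock climbs to U through release-lock as T1 commits, and an aborted subtree's version of x is discarded by lose-lock. Assumptions not in the text: values(x) are integers with init(x) = 0, every access A carries a total function update(A), seq is empty so (a13) holds trivially, and datasteps_T(x) is taken to be the performed (labelled) accesses to x; the class and variable names are ours.

```python
from typing import Callable, Dict, List, Set, Tuple

U = "U"  # the root action


class Violation(Exception):
    """A precondition of an A'' operation does not hold; the step is refused."""


class VersionMapAlgebra:
    """One state (T, V) of A'': an AAT T plus a version map V.  Our class, not the paper's."""
    def __init__(self, parent: Dict[str, str], update: Dict[str, Callable[[int], int]],
                 obj: Dict[str, str], objects: List[str]) -> None:
        self.parent, self.update, self.obj = parent, update, obj  # parent(A), update(A), object(A)
        self.status: Dict[str, str] = {U: "active"}               # vertices_T = keys of status
        self.label: Dict[str, int] = {}                           # label_T; datasteps_T = its keys
        self.data: Set[Tuple[str, str]] = set()                   # data_T
        self.V: Dict[Tuple[str, str], List[str]] = {(x, U): [] for x in objects}  # V(x,U) = ()

    def anc(self, a: str) -> List[str]:                 # a itself, then its ancestors up to U
        chain = [a]
        while chain[-1] != U:
            chain.append(self.parent[chain[-1]])
        return chain
    def result(self, x: str, seq: List[str]) -> int:    # apply s in order to init(x) = 0 (assumed)
        v = 0
        for a in seq:
            v = self.update[a](v)
        return v
    def holders(self, x: str) -> Set[str]:              # {B : V(x,B) is defined}
        return {a for (y, a) in self.V if y == x}
    def principal(self, x: str) -> str:                 # deepest holder; holders form a chain
        return max(self.holders(x), key=lambda a: len(self.anc(a)))
    def principal_value(self, x: str) -> int:
        return self.result(x, self.V[(x, self.principal(x))])
    def _require(self, cond: bool, rule: str) -> None:
        if not cond:
            raise Violation(rule)

    # Operations (a)-(f).  seq is assumed empty, so (a13) needs no check.
    def create(self, a: str) -> None:
        self._require(a not in self.status, "(a11)")
        self._require(self.status.get(self.parent[a]) in ("active", "aborted"), "(a12)")
        self.status[a] = "active"

    def commit(self, a: str) -> None:
        self._require(a not in self.obj and self.status.get(a) == "active", "(b11)")
        children = [b for b in self.status if self.parent.get(b) == a]
        self._require(all(self.status[b] != "active" for b in children), "(b12)")
        self.status[a] = "committed"
    def abort(self, a: str) -> None:
        self._require(self.status.get(a) == "active", "(c11)")
        self.status[a] = "aborted"
    def perform(self, a: str, u: int) -> None:
        x = self.obj[a]
        self._require(self.status.get(a) == "active", "(d11)")
        self._require(self.holders(x) <= set(self.anc(a)[1:]), "(d12): x locked outside anc(A)")
        self._require(u == self.principal_value(x), "(d13)")
        b = self.principal(x)
        self.status[a], self.label[a] = "committed", u                 # (d21), (d22)
        self.data |= {(c, a) for c in self.label if self.obj[c] == x}  # (d23), includes (A,A)
        self.V[(x, a)] = self.V[(x, b)] + [a]                          # (d24)

    def release_lock(self, a: str, x: str) -> None:
        self._require((x, a) in self.V and self.status.get(a) == "committed", "(e11)/(e12)")
        self.V[(x, self.parent[a])] = self.V.pop((x, a))               # (e21), (e22)
    def lose_lock(self, a: str, x: str) -> None:                       # A dead: an aborted ancestor
        dead = any(self.status.get(b) == "aborted" for b in self.anc(a))
        self._require((x, a) in self.V and dead, "(f11)/(f12)")
        del self.V[(x, a)]                                             # (f21)


def run_scenario() -> Dict[str, object]:
    """Constructed run: top-level siblings T1, T2, T3 each hold one access to object x."""
    parent = {"T1": U, "T2": U, "T3": U, "a1": "T1", "a2": "T2", "a3": "T3"}
    update = {"a1": lambda v: v + 5, "a2": lambda v: v * 2, "a3": lambda v: v - 1}
    s = VersionMapAlgebra(parent, update, {"a1": "x", "a2": "x", "a3": "x"}, ["x"])
    for a in ("T1", "T2", "T3", "a1", "a2", "a3"):
        s.create(a)
    def finish(t: str, a: str) -> None:   # access releases to t, t commits, t releases to U
        s.release_lock(a, "x")
        s.commit(t)
        s.release_lock(t, "x")
    out: Dict[str, object] = {}
    s.perform("a1", s.principal_value("x"))        # a1 now holds V(x, a1) = (a1)
    try:
        s.perform("a2", s.principal_value("x"))    # refused by (d12): a1 is not an ancestor of a2
    except Violation as e:
        out["blocked"] = str(e)
    finish("T1", "a1")
    out["holder_after_T1"] = s.principal("x")      # the lock has climbed to U
    s.perform("a2", s.principal_value("x"))        # a2 sees a1's result, 5
    out["a2_label"] = s.label["a2"]
    finish("T2", "a2")
    s.perform("a3", s.principal_value("x"))        # 10 -> 9, but only inside T3
    s.release_lock("a3", "x")
    s.abort("T3")
    s.lose_lock("T3", "x")                         # T3 is dead: its version of x is dropped
    out["final"] = s.principal_value("x")
    out["U_versions"] = list(s.V[("x", U)])
    out["a1_before_a2"] = ("a1", "a2") in s.data and ("a2", "a1") not in s.data
    return out
```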

Lemma 17: If (T,V) is computable in 𝒜'', then the following are true.

a. If V(x,A) is defined, then A ∈ vertices_T.

b. If B ∈ datasteps_T(x) and B is live in T, then there exists A ∈ anc(B) with V(x,A) defined and B an element of V(x,A).

c. If V(x,A) is defined, then each element of V(x,A) is in visible_T(A).

d. If V(x,A) is defined, then the elements of V(x,A) are in data_T order.

Proof: Straightforward. We argue b., for example. Immediately after an operation perform_{B,u} occurs, we see that V(x,B) is defined, and B ∈ V(x,B). Assume inductively that there is some ancestor, C, of B with V(x,C) defined and B ∈ V(x,C). Since B remains live, there are no steps of the form lose-lock_{C,x}. Thus, if V(x,C) is ever changed, it must be because of a release-lock step. There are two possibilities. First, the change could occur because of a release-lock_{C,x} step. But such a step causes V(x,parent(C)) to take on the old value of V(x,C), thereby preserving the needed property. Second, the change could occur because V(x,C) gets redefined to be the previous value of V(x,D), where D ∈ children(C). But because the successive sequences are extensions of each other, B is an element of V(x,D) as well. Thus, the needed property is preserved in this case also.

□

Define a mapping h' from 𝒜'' to 𝒜' as follows. h' maps (T,V) to {T}, and maps operations (a)-(d) to operations of the same name, and operations (e) and (f) to Λ.

Lemma 18: h' is a simulation of 𝒜' by 𝒜''.

Proof: It suffices to show that h' is a possibilities mapping. The first and last properties are easy to check. We consider the second property. Let π' ∈ Π'', where h'(π') = π ∈ Π'. Then π' is either of the form create_A, commit_A, abort_A or perform_{A,u}. In the first three cases, the second property is easy to check. So assume that π' is of the form perform_{A,u}. Assume (T,V) is computable in 𝒜'' and π' is defined on (T,V), yielding (T',V'). We must show that perform_{A,u} (i.e. the operation of 𝒜') is defined on T. Let x = object(A).

Condition (d11) for 𝒜' follows immediately from the corresponding condition for 𝒜''. We consider (d12). Let B ∈ datasteps_T(x), and assume that B is live in T. Since (T,V) is computable in 𝒜'', Lemma 17 implies that there is some C ∈ anc(B) for which V(x,C) is defined and for which B is an element of V(x,C). Then Lemma 17 implies that B ∈ visible_T(C). Since π' is defined on (T,V), (d12) for 𝒜'' implies that C ∈ anc(A). Since A ∈ vertices_T, Lemma 5 implies that B ∈ visible_T(A), as needed.

Next, we consider (d13). Assume A is live in T, and let s = ≪visible_T(A,x); data_T≫. We must show that u = result(x,s). Let B be the principal action for x in V. Condition (d13) for 𝒜'' implies that u = result(x, V(x,B)). It suffices to show that s and V(x,B) are identical. Since the elements of V(x,B) are in data_T order (by Lemma 17), it suffices to show that s and V(x,B) contain the same set of elements.

First assume C is in s, i.e. C ∈ visible_T(A,x). Since A is live in T, Lemma 6 implies that C is live in T. Then Lemma 17 implies that there exists D ∈ anc(C) for which V(x,D) is defined and C is an element of V(x,D). Since B is the principal action for x in V, the sequence extension property of the definition of version maps implies that C is also an element of V(x,B).

Conversely, assume that C is an element of V(x,B). Lemma 17 implies that C ∈ visible_T(B). Condition (d12) for 𝒜'' implies that B ∈ anc(A). Thus, C ∈ visible_T(A).

It is easy to check that the changes correspond correctly, once we know that the definability conditions correspond. Therefore, h' is a possibilities mapping.

□

Theorem 19: h ∘ h' is a simulation of 𝒜 by 𝒜''.

Proof: Immediate from Lemmas 16, 18 and 1.

□


8.  An  Algebra  Based  on  Value  Maps 


In this section, we introduce another data structure. This one records, for each object and action, the latest value of the object which is available to the action.

A value map is a partial mapping V from obj × act to values(obj), such that the following properties are satisfied:

- V(x,U) is defined for all x,

- each V(x,A) ∈ values(x), and

- for each x, if V(x,A) and V(x,B) are both defined, then either A ∈ desc(B) or B ∈ desc(A).

If A is the least action for which V(x,A) is defined, then we call A the principal action for x in V; in this case, if V(x,A) = u, we call u the principal value of x in V.

We define another algebra, 𝒜''' = <A''', σ''', Π'''>, as follows. A''' is the set of pairs (T,V), where T is an AAT and V is a value map. σ''' consists of the trivial AAT consisting of a single node U with status 'active', and the value map which has V(x,U) equal to init(x), for all x, and is otherwise undefined. Π''' consists of the six operations defined below in (a)-(f).

In all the operations to follow, we assume that A ∈ act - {U}. Operations (a)-(c), (e) and (f) are identical to the corresponding operations of 𝒜''. Operation (d) is also identical, except for the change indicated below.

(d2) Effect

(d24) V(x,A) ← update(A)(u).

If  V  is  a  version  map,  then  let  eval(V)  be  the  value  map  defined  on  exactly  the  same  domain,  so 
that  eval(V)(x,A)  =  result(x,V(x,A)). 

Lemma  20:  Let  V  be  a  version  map,  x  €  obj.  Then  the  principal  action  for  x  in  V  is  the 
same  as  the  principal  action  for  x  in  eval(V),  and  the  principal  value  of  x  in  V  is  the  same  as 
the  principal  value  of  x  in  eval(V). 

Proof:  Straightforward. 

□ 

Define a mapping h'' from 𝒜''' to 𝒜'' as follows. Let h''(T,V) = {(T,W): eval(W) = V}. h'' maps all operations to operations of the same name.

Lemma 21: h'' is a simulation of 𝒜'' by 𝒜'''.

Proof: It suffices to show that h'' is a possibilities mapping. The first and last properties are easy to check. We consider the second property. Let π' ∈ Π'''. If π' is one of (a)-(c), (e) or (f), then the second property is obvious.

Assume π' is perform_{A,u}. Assume (T,V) is computable in 𝒜''', (T,W) ∈ h''(T,V), (T,W) is computable in 𝒜'', π' is defined for (T,V) and (T',V') = π'(T,V). Lemma 20 implies that the definability condition holds, i.e. that π = perform_{A,u} is defined on (T,W). It follows from the effects of the two operations that π(T,W) = (T',W') for some version map W'. It suffices to show that eval(W') = V'. Since eval(W) = V, we only need to consider the values which change because of the present operation, i.e. we need to show that result(x, W'(x,A)) = V'(x,A). But result(x, W'(x,A)) = result(x, W(x,B) ∘ (A)), where B is the principal action for x in W, = update(A)(result(x, W(x,B))), = update(A)(V(x,B)) since eval(W) = V. But B is the principal action for x in V, by Lemma 20, so u = V(x,B). Therefore, the latest term in the extended equality is equal to update(A)(u), which is equal to V'(x,A) by definition.

□

Theorem 22: h ∘ h' ∘ h'' is a simulation of 𝒜 by 𝒜'''.

Proof: Immediate from Lemmas 19, 21 and 1.

□


9.  The  Algorithm 

A slightly simplified version (which doesn't distinguish read and write steps) of Moss' algorithm is described using a distributed algebra.

Let [k] denote {1, ..., k}.

We fix a particular k, as the number of nodes. For convenience, we designate the nodes by identifiers in [k].

Let home: (act - {U}) ∪ obj → [k], with home(A) = home(object(A)) for all A ∈ accesses. Thus, home partitions the actions and objects among the nodes. Let origin: (act - {U}) → [k] be defined so that origin(A) = home(A) if parent(A) = U, and = home(parent(A)) otherwise.

In order to describe the local state of each node, it is convenient to define a generalization of action trees. Thus, we define an action summary T to consist of components vertices_T, active_T, committed_T, and aborted_T, where vertices_T is any finite subset of act (not necessarily closed under the parent operation), and the remaining three components form a partition of vertices_T. The notation done_T and status_T is also extended in the obvious way. If T and T' are action summaries or action trees, we say that T ≤ T' provided vertices_T ⊆ vertices_{T'}, and correspondingly for committed_T and aborted_T. We also define T'' = T ∪ T' so that vertices_{T''} = vertices_T ∪ vertices_{T'}, and similarly for committed_{T''} and aborted_{T''}.

We describe the algorithm as yet another algebra, ℬ = <B, τ, P>, which is distributed over I = [k] ∪ {'buffer'}. The components are defined as follows. B is the Cartesian product of B_i, where i ∈ I. If i ∈ [k], then B_i consists of the values of variables i.T, which can contain an action summary, and i.V, which can contain a value map defined only for pairs (x,A) having home(x) = i. If i = 'buffer', then B_i consists of the values of variables M_j, j ∈ [k], each of which can contain an action summary. (The contents of M_j are intended to denote information which has been sent to node j.)

τ is a vector of initial states for all the components. If i ∈ [k], then τ_i has i.T initialized as the trivial action summary, having no vertices, and i.V initialized so that i.V(x,U) = init(x) for all x with home(x) = i, and otherwise undefined. If i = 'buffer', then τ_i has each M_j equal to the trivial action summary.

The algorithm has eight kinds of operations. Six correspond closely to the six operations of 𝒜''': four record the creation, commit and abort of actions and the performance of data accesses, and two manipulate locks. The other two correspond to the sending and receiving of messages. The operations are listed below. As usual, we present them by listing a precondition and the effect on the state. In addition, we define d(π), the doer of each step.

In all cases, we assume that A ∈ act - {U}.

(a) create_{i,A}, origin(A) = i

(a1) Precondition

(a11) A ∉ i.vertices_T.

(a12) If parent(A) ≠ U, then parent(A) ∈ i.vertices_T - i.committed_T.

(a13) If (B,A) ∈ seq and B ≠ A, then B ∈ i.done_T.

(a2) Effect

(a21) i.vertices_T ← i.vertices_T ∪ {A}.

(a22) i.status_T(A) ← 'active'.

(a3) Doer: i

(b) commit_{i,A}, A ∉ accesses, home(A) = i

(b1) Precondition

(b11) A ∈ i.active_T.

(b12) children(A) ∩ i.vertices_T ⊆ i.done_T.
Proof: It suffices to show that h'' is a possibilities mapping. The first and last
properties are easy to check. We consider the second property. Let π' ∈ P'''. If π' is one
of (a)-(c), (e) or (f), then the second property is obvious.

Assume π' is perform_{A,u}. Assume (T,V) is computable in A''', (T,W) ∈ h''(T,V), (T,W)
is computable in A''. π' is defined for (T,V) and (T',V') = π'(T,V). Lemma 20 implies that
the definability condition holds, i.e. that π = perform_{A,u} is defined on (T,W). It follows
from the effects of the two operations that π(T,W) = (T',W') for some version map W'. It
suffices to show that eval(W') = V'. Since eval(W) = V, we only need to consider the
values which change because of the present operation, i.e. we need to show that
result(x,W'(x,A)) = V'(x,A). But result(x,W'(x,A)) = result(x,W(x,B) ∘ (A)), where B is the
principal action for x in W, = update(A)(result(x,W(x,B))), = update(A)(V(x,B)) since
eval(W) = V. But B is the principal action for x in V, by Lemma 20, so u = V(x,B).
Therefore, the latest term in the extended equality is equal to update(A)(u), which is equal
to V'(x,A) by definition.

□ 

Theorem 22: h ∘ h' ∘ h'' is a simulation of A by A'''.

Proof:  Immediate  from  Lemmas  19,  21  and  1. 

□ 

9.  The  Algorithm 

A  slightly  simplified  version  (which  doesn't  distinguish  read  and  write  steps)  of  Moss’  algorithm  is 
described  using  a  distributed  algebra. 

Let [k] denote {1, ..., k}.

We  fix  a  particular  k,  as  the  number  of  nodes.  For  convenience,  we  designate  the  nodes  by 
identifiers  in  [k]. 

Let home: (act - {U}) ∪ obj → [k], with home(A) = home(object(A)) for all A ∈ accesses. Thus,
home partitions the actions and objects among the nodes. Let origin: (act - {U}) → [k] be defined so
that origin(A) = home(A) if parent(A) = U, and = home(parent(A)) otherwise.

In order to describe the local state of each node, it is convenient to define a generalization of
action trees. Thus, we define an action summary T to consist of components vertices_T, active_T,
committed_T and aborted_T, where vertices_T is any finite subset of act (not necessarily closed under
(b2) Effect

(b21) i.status_T(A) ← 'committed'.

(b3)  Doer:  i 

(c) abort_{i,A}, A ∉ accesses, home(A) = i

(c1) Precondition

(c11) A ∈ i.active_T.

(c2) Effect

(c21) i.status_T(A) ← 'aborted'.

(c3) Doer: i

(d) perform_{i,A,u}, A ∈ accesses, x = object(A), u ∈ values(x),
home(A) = i, home(x) = i

(d1) Precondition

(d11) A ∈ i.active_T.

(d12) {B: i.V(x,B) is defined} ⊆ proper-anc(A).

(d13) u is the principal value of x in i.V.

(d2) Effect

(d21) i.status_T(A) ← 'committed'.

(d22) i.V(x,A) ← update(A)(u).

(d3) Doer: i


(e) release-lock_{i,x,A}, home(x) = i

(e1) Precondition

(e11) i.V(x,A) is defined.

(e12) A ∈ i.committed_T.

(e2) Effect

(e21) i.V(x,parent(A)) ← i.V(x,A).

(e22) i.V(x,A) ← undefined.

(e3) Doer: i


(f) lose-lock_{i,x,A}, home(x) = i

(f1) Precondition

(f11) i.V(x,A) is defined.

(f12) anc(A) ∩ i.aborted_T ≠ ∅.

(f2) Effect

(f21) i.V(x,A) ← undefined.


(f3) Doer: i

(g) send_{i,j,T'}, T' an action summary

(g1) Precondition

(g11) T' ≤ i.T.

(g2) Effect

(g21) M_j ← M_j ∪ T'.

(g3) Doer: i

(h) receive_{i,T'}, T' an action summary

(h1) Precondition

(h11) T' ≤ M_i.

(h2) Effect

(h21) i.T ← i.T ∪ T'.

(h3) Doer: buffer

That  is,  any  communication  is  allowed  at  any  time,  which  sends  any  of  the  action  summary 
information  from  i  to  j. 
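The six node-local operations (a)-(f) above, as an added executable model written for this edition of the text; it is not code from the paper and not Moss' implementation. It models a single node that is the home of every action and object, takes the sibling-ordering relation seq to be empty (so (a13) is vacuous), omits the message operations (g) and (h), and uses a constructed action tree (T1 with accesses C1, C2 and a subaction S holding access C3), a single object x with init(x) = 0, and made-up update functions. The class and method names (Node, create, commit, abort, perform, release_lock, lose_lock, principal, run_example) are this example's own. The scenario shows the two lock rules the preconditions encode: an access blocks while a non-ancestor holds a version of x (d12), a committed action's version is inherited by its parent (e21), and a version held under an aborted ancestor is discarded by lose-lock (f12) while the parent's own version survives.

```python
# Added example (not from the paper): an executable model of the six node-local
# operations (a)-(f) of the simplified Moss algorithm.  One node is modelled;
# the action tree, object x and update functions below are constructed inputs.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

U = "U"  # the root action, as in the paper


class PreconditionError(Exception):
    """Raised with the label of the precondition (a11, b12, d12, ...) that fails."""


@dataclass
class Node:
    parent: Dict[str, str]            # parent(A) for every A != U
    obj: Dict[str, str]               # object(A) for A in accesses (the keys)
    update: Dict[str, Callable]       # update(A): values(x) -> values(x)
    vertices: Set[str] = field(default_factory=set)        # i.vertices_T
    status: Dict[str, str] = field(default_factory=dict)   # i.status_T
    V: Dict[Tuple[str, str], object] = field(default_factory=dict)  # i.V(x,A)

    def with_status(self, s: str) -> Set[str]:
        return {A for A in self.vertices if self.status[A] == s}

    def done(self) -> Set[str]:               # i.done_T = committed together with aborted
        return self.with_status("committed") | self.with_status("aborted")

    def anc(self, A: str) -> List[str]:       # anc(A), nearest first, ending in U
        chain = [A]
        while chain[-1] != U:
            chain.append(self.parent[chain[-1]])
        return chain

    def children(self, A: str) -> Set[str]:
        return {B for B, P in self.parent.items() if P == A}

    def _require(self, cond: bool, label: str) -> None:
        if not cond:
            raise PreconditionError(label)

    # (a) create_{i,A}; seq is taken to be empty, so (a13) is vacuous
    def create(self, A: str) -> None:
        self._require(A not in self.vertices, "a11")
        if self.parent[A] != U:
            self._require(self.parent[A] in self.vertices - self.with_status("committed"), "a12")
        self.vertices.add(A)
        self.status[A] = "active"

    # (b) commit_{i,A}, A not an access
    def commit(self, A: str) -> None:
        self._require(A not in self.obj and self.status.get(A) == "active", "b11")
        self._require(self.children(A) & self.vertices <= self.done(), "b12")
        self.status[A] = "committed"

    # (c) abort_{i,A}
    def abort(self, A: str) -> None:
        self._require(self.status.get(A) == "active", "c11")
        self.status[A] = "aborted"

    def principal(self, x: str, A: str) -> Tuple[str, object]:
        """Nearest proper ancestor B of A with i.V(x,B) defined, and that value."""
        for B in self.anc(A)[1:]:
            if (x, B) in self.V:
                return B, self.V[(x, B)]
        raise PreconditionError("d13")

    # (d) perform_{i,A,u}: A reads the principal value u of x and writes its own version
    def perform(self, A: str, u) -> None:
        x = self.obj[A]
        self._require(self.status.get(A) == "active", "d11")
        holders = {B for (y, B) in self.V if y == x}
        self._require(holders <= set(self.anc(A)[1:]), "d12")   # every holder is a proper ancestor
        self._require(u == self.principal(x, A)[1], "d13")
        self.status[A] = "committed"
        self.V[(x, A)] = self.update[A](u)

    # (e) release-lock_{i,x,A}: a committed action's version is inherited by its parent
    def release_lock(self, x: str, A: str) -> None:
        self._require((x, A) in self.V, "e11")
        self._require(self.status.get(A) == "committed", "e12")
        self.V[(x, self.parent[A])] = self.V.pop((x, A))

    # (f) lose-lock_{i,x,A}: a version under an aborted ancestor is discarded
    def lose_lock(self, x: str, A: str) -> None:
        self._require((x, A) in self.V, "f11")
        self._require(any(self.status.get(B) == "aborted" for B in self.anc(A)), "f12")
        del self.V[(x, A)]


def run_example() -> Tuple[Dict[Tuple[str, str], object], str]:
    """Constructed scenario: T1 has accesses C1, C2 on x and a subaction S whose access C3 is undone."""
    parent = {"T1": U, "C1": "T1", "C2": "T1", "S": "T1", "C3": "S"}
    obj = {"C1": "x", "C2": "x", "C3": "x"}
    update = {"C1": lambda v: v + 1, "C2": lambda v: v * 10, "C3": lambda v: -v}
    n = Node(parent, obj, update)
    n.V[("x", U)] = 0                               # init(x) = 0, held by U as in tau
    n.create("T1"); n.create("C1")
    n.perform("C1", n.principal("x", "C1")[1])      # C1 sees 0, writes 1 under its own lock
    n.create("C2")
    blocked = ""
    try:
        n.perform("C2", 0)                          # C1 still holds x: (d12) fails, C2 waits
    except PreconditionError as e:
        blocked = str(e)
    n.release_lock("x", "C1")                       # T1 inherits C1's version 1
    n.perform("C2", n.principal("x", "C2")[1])      # C2 now sees 1 via T1, writes 10
    n.release_lock("x", "C2")                       # T1 holds 10
    n.create("S"); n.create("C3")
    n.perform("C3", n.principal("x", "C3")[1])      # C3 sees 10, writes -10 under its lock
    n.abort("S")                                    # S aborts: C3's version must not survive
    n.lose_lock("x", "C3")                          # (f12) holds since S in anc(C3) is aborted
    n.commit("T1")                                  # (b12): C1, C2 committed, S aborted
    n.release_lock("x", "T1")                       # U (the database) now holds 10
    return dict(n.V), blocked
```

Running run_example() leaves only the root version (x,U) = 10 and reports "d12" as the precondition that blocked C2 while C1 still held x. The abort of S takes C3's write of -10 with it without touching the version T1 inherited from C2, which is exactly the view discipline that the i-consistency conditions of the next lemmas relate to the global action tree.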

Lemma 23: 𝔅 is an algebra, which is distributed over I using d.

Proof:  Straightforward. 

□ 

Now define an interpretation h''' from 𝔅 to A''' by mapping the first six types of operations to the
operations of the same name, suppressing the index in [k], and the other two types of operations to λ.

If  b  €  B,  then  we  add  "[b]"  to  the  end  of  a  variable  name  to  denote  the  value  of  that  variable  in 
state  b. 

For each i ∈ I, we define a mapping h_i from B to S(A''') as follows. If i ∈ [k], then (T,V) ∈ h_i(b)
exactly if (T,V) is computable in A''' and the following are true:

- vertices_T ∩ {A: origin(A) = i} ⊆ i.vertices_T[b] ⊆ vertices_T.

- committed_T ∩ {A: home(A) = i} ⊆ i.committed_T[b] ⊆ committed_T.

- aborted_T ∩ {A: home(A) = i} ⊆ i.aborted_T[b] ⊆ aborted_T.

- i.V[b] is the restriction of V to {(x,A): home(x) = i}.

If i = 'buffer', then (T,V) ∈ h_i(b) exactly if (T,V) is computable in A''' and M_j[b] ≤ T for each j ∈ [k].

If (T,V) ∈ h_i(b), then we also say that (T,V) is i-consistent with b.

Lemma 24: For all i ∈ I, σ''' ∈ h_i(τ).

Proof:  Immediate  from  the  definitions. 

□ 

Lemma 25: Assume i ∈ I. Assume π' ∈ P, d(π') = i, π = h'''(π') ∈ P''', a and a' are
computable in A''' and 𝔅, respectively, a ∈ h_i(a') and a' ∈ domain(π'). Then a ∈
domain(π).

Proof:  Let  a  be  (T,V). 

First, assume that π' is create_{i,A}, so that π is create_A. Then origin(A) = i. Since a' ∈
domain(π'), A ∉ i.vertices_T[a']. Since (T,V) is i-consistent with a', A ∉ vertices_T, thus
showing (a11). If parent(A) = U, then the fact that (T,V) is computable and Lemma
17 imply that parent(A) ∈ active_T, thus showing (a12) for this case. On the other hand, if
parent(A) ≠ U, then the precondition for π' shows that parent(A) ∈ i.vertices_T[a']
- i.committed_T[a']. The fact that (T,V) is i-consistent with a' implies that parent(A) ∈
vertices_T - committed_T. Thus, (a12) holds. If (B,A) ∈ seq and B ≠ A, then the precondition
for π' shows that B ∈ i.done_T[a']. The fact that (T,V) is i-consistent with a' implies that B ∈
done_T, thus showing (a13).

Second, consider π' = commit_{i,A}, so that π is commit_A. The precondition for π'
shows that A ∈ i.active_T[a']. The fact that (T,V) is i-consistent with a' implies that A ∈
active_T, thus showing (b11). The precondition for π' shows that children(A) ∩
i.vertices_T[a'] ⊆ i.done_T[a']. The fact that (T,V) is i-consistent with a' implies that
children(A) ∩ vertices_T ⊆ done_T, thus showing (b12).

Third, assume π' = abort_{i,A}, so that π is abort_A. This case is similar to the first half
of the previous case.

Fourth, assume π' = perform_{i,A,u}, so that π is perform_{A,u}. Then home(A) =
i. Assume object(A) = x, so that home(x) = i. (d11) is argued as in the preceding two
cases. We show (d12). Choose B so that V(x,B) is defined. Since (T,V) is i-consistent with
a' and home(x) = i, i.V(x,B)[a'] is also defined. The precondition for π' implies that B ∈
proper-anc(A), as needed. Next, we show (d13). The precondition for π' implies that u is
the principal value for x in i.V[a']. Since (T,V) is i-consistent with a', u is also the principal
value for x in V, as needed.
If π' is one of (e) or (f), then π' involves some x with home(x) = i. Assume that π'
involves A. The precondition for π' implies that i.V(x,A)[a'] is defined. Since (T,V) is
i-consistent with a', it follows that V(x,A) is defined, thus showing both (e11) and (f11).

If π' is a release-lock_{i,x,A} step, then the precondition for π' implies that A ∈
i.committed_T[a']. Since (T,V) is i-consistent with a', A ∈ committed_T, thus showing (e12).

Finally, if π' is a lose-lock_{i,x,A} step, the precondition for π' implies that anc(A) ∩
i.aborted_T[a'] ≠ ∅. Since (T,V) is i-consistent with a', it follows that A is dead in T, thus
showing (f12).

□ 

Lemma 26: Assume i, j ∈ I. Assume π' ∈ P, d(π') = i, π = h'''(π') ∈ P''', a and a' are
computable in A''' and 𝔅, respectively, a ∈ h_i(a') ∩ h_j(a'), and a' ∈ domain(π'). If b' =
π'(a'), then π(a) ∈ h_j(b').

Proof: Let a = (T,V) and π(a) = (T',V'). Lemma 25 implies that a ∈ domain(π).

If j ≠ i, then it is easy to see that all the containments are preserved, since the sets of
actions on the right sides are only increased, while the sets on the left sides are
unchanged. The property involving V is also easily seen to be preserved. So assume j =
i. We consider the six kinds of operations in turn.

First, assume π' is of the form create_{i,A}, commit_{i,A} or abort_{i,A}. Then V' = V, and T'
is exactly like T except that A is added to vertices_T, committed_T or aborted_T, as appropriate.
Also, b' is just like a' except that A is added to i.vertices_T, i.committed_T, or i.aborted_T, as
appropriate. Since (T,V) is i-consistent with a', it is easy to see that all the containments
change in such a way as to ensure that (T',V') is i-consistent with b'.

If π' is of the form perform_{i,A,u}, then home(A) = i. Let x = object(A). Then home(x)
= i. T' is just like T except that A is added to committed_T and is given label u, and data_T is
augmented with all pairs in {(B,A): B ∈ datasteps_T(x)} ∪ {(A,A)}. V' is just like V except that
V'(x,A) is defined to be update(A)(u). b' is just like a' except that A is added to
i.committed_T, and i.V(x,A) is defined to be update(A)(u). Since (T,V) is i-consistent with a',
it is easy to see that (T',V') is i-consistent with b'; most of the properties are immediate.
We just check the last property; the only change involves A. We have already noted that
i.V(x,A)[b'] = update(A)(u) = V'(x,A). This is as needed.

If π' is of one of the forms (e) or (f), then T' = T and i.T[b'] = i.T[a']. Thus, it is clear
that the containments are all preserved. It is also easy to check that the final property is
preserved.

□ 

Lemma 27: Assume i, j ∈ I. Assume π' ∈ P, d(π') = i, h'''(π') = λ, a and a' are
computable in A''' and 𝔅, respectively, a ∈ h_i(a') ∩ h_j(a'), and a' ∈ domain(π'). If b' =
π'(a'), then a ∈ h_j(b').

Proof:  Let  a  =  (T,V). 

First, assume that π' is send_{i,l,T'}. If j ≠ 'buffer', then b'_j = a'_j, and the conclusion is
immediate. So assume that j = 'buffer'. Since (T,V) is j-consistent with a', each action
summary M_m[a'] ≤ T. The precondition for π' implies that T' ≤ i.T[a']. Since (T,V) is
i-consistent with a', it follows that i.T[a'] ≤ T, and hence T' ≤ T. Now, each M_m[b'] ≤ M_m[a']
∪ T'. Therefore, each M_m[b'] ≤ T, as needed.

Next, assume that π' is of the form receive_{i',T'}, so that i = 'buffer'. The only nontrivial
case is j = i'. We must show that j.T[b'] ≤ T. But j.T[b'] = j.T[a'] ∪ T'. The j-consistency
of (T,V) with a' shows that j.T[a'] ≤ T. The precondition for π' shows that T' ≤ M_j[a'].
Since (T,V) is i-consistent with a', M_j[a'] ≤ T. Thus, T' ≤ T. Therefore, j.T[b'] ≤ T, as
needed.

□ 

Lemma 28: h''' and h_i, i ∈ I, form a local mapping from 𝔅 to A'''.

Proof:  Immediate  from  Lemmas  24,  25,  26,  and  27. 

□ 

Now extend h''' to B ∪ P, by defining h'''(b) = ∩_{i ∈ I} h_i(b).

Lemma 29: h''' is a simulation of A''' by 𝔅.

Proof:  Immediate  by  Lemma  28,  Lemma  4  and  Lemma  3. 

□ 

We  are  now  ready  to  prove  the  main  correctness  theorem. 

Theorem 30: The mapping h ∘ h' ∘ h'' ∘ h''' is a simulation of A by 𝔅.

Proof:  Immediate  from  Lemma  29,  Lemma  1  and  Theorem  22. 

□ 